Several models of Emergency Alert System decoders, used to break into TV and radio broadcasts to announce public safety warnings, have vulnerabilities that would allow hackers to hijack them and deliver fake messages to the public, according to an announcement by a security firm on Monday.
The vulnerabilities included a private root SSH key distributed in publicly available firmware images, which would have allowed an attacker with SSH access to a device to log in with root privileges and issue fake alerts or disable the system.
IOActive principal research scientist Mike Davis uncovered the vulnerabilities in the application servers of two digital alerting systems known as DASDEC-I and DASDEC-II. The servers are responsible for receiving and authenticating emergency alert messages.
“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package,” Davis said in a statement. “This key allows an attacker to remotely log on in over the Internet and can manipulate any system function.”
Davis indicated that resolving the issue would require “re-engineering” of the digital alerting system side as well as firmware updates pushed out to appliances in the field.
IOActive didn’t identify the other vulnerabilities in its announcement but did link to an advisory issued last month by the Cyber Emergency Response Team (CERT) that indicated vulnerabilities existed not only in DASDEC-I and DASDEC-II but also in Monroe Electronics systems known as R189 One-Net/R189SE One-NetSE.
These included default administrative passwords that customers were forgetting to change after installing the systems.
Earlier this year hackers used default credentials to break into the Emergency Alert System at local TV station KRTV in Montana to interrupt programming with an alert about a zombie apocalypse.
During an afternoon broadcast of the Steve Wilkos talk show, a loud buzzer sounded and a banner ran across the top of the screen as an announcer’s voice warned viewers that the zombie apocalypse was upon them.
“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living,” the announcer said. “Follow the messages on-screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies, as they are extremely dangerous.”
Similar attacks also reportedly hit stations in Michigan, New Mexico, Utah and California. The hackers targeted local systems, however, not the national EAS network.
“We were hacked and we’re not proud of it,” Duane Ryan, director of programming at KENW, a PBS station in Portales, New Mexico, said after the attack, acknowledging that the station had never changed the manufacturer’s default user name and password on its EAS computers. “We’ve changed them now,” he said.
A spokesman for IOActive said that his group released the announcement today only after working with CERT to notify the vendors first and give them time to notify customers and work on fixes. The CERT advisory indicated that some fixes had already been made.
“On April 24, 2013, Monroe Electronics and Digital Alert Systems released firmware version 2.0-2 that disables the compromised SSH key, provides a simplified user option to install new unique keys, and enforces a new password policy,” the advisory noted. “Monroe Electronics has taken considerable effort to provide update information to DASDEC and One-NetSE users.” DASDEC users can also obtain updated firmware and release notes by contacting the companies.
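For operators who want to confirm that a device no longer trusts a key that was shipped to everyone, the following added example (not code from IOActive, CERT or the vendor) audits an authorized_keys file against a denylist of key fingerprints. The key blobs, the sample file and the helper names are constructed for illustration; a real denylist would hold the fingerprint of the key published in the firmware image.

```python
import base64, hashlib, struct
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_lines(text):
    """Yield (line_no, key_type, blob) per key entry, skipping any leading options."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                yield no, field, fields[i + 1]
                break

def audit(text, denylist):
    """Return [(line_no, key_type, fingerprint)] for entries whose key is denylisted."""
    hits = []
    for no, key_type, blob in key_lines(text):
        try:
            fp = fingerprint(blob)
        except ValueError:          # malformed base64: not a usable key, skip it
            continue
        if fp in denylist:
            hits.append((no, key_type, fp))
    return hits

def fake_blob(seed):
    """Constructed ed25519-shaped blob (not a real key) for the sample below."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()

SHIPPED = fake_blob(b"key shipped in firmware image")   # stands in for the vendor key
UNIQUE = fake_blob(b"key generated on this unit")
DENYLIST = {fingerprint(SHIPPED)}   # in practice: fingerprint of the published key
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not from a real device
ssh-ed25519 {UNIQUE} operator@station
from="10.0.0.0/8",no-pty ssh-ed25519 {SHIPPED} root@factory
ssh-ed25519 not*base64 broken-entry
"""

if __name__ == "__main__":
    for no, key_type, fp in audit(SAMPLE_AUTHORIZED_KEYS, DENYLIST):
        print(f"line {no}: {key_type} {fp} is on the denylist")
```

The fingerprint format matches what `ssh-keygen -l -f` prints for a public key file, so a denylist entry can be produced from the published key with that command.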
EAS is a descendant of the Emergency Broadcast System established in the 1960s during President John F. Kennedy’s administration. It’s used to alert the public about weather emergencies, disasters and Amber alerts and is also available to the President of the United States to break into programming to announce a national crisis. Initially, the system was designed so that alerts passed from station to station via the wire services of the Associated Press and United Press International, but it now transmits through analog and digital systems.
Last year, the Federal Emergency Management Agency also launched a wireless alert system that delivers text alerts to compatible mobile phones. The alerts arrive with a distinctively jarring tone and vibration to distinguish them from regular text messages and advise recipients to tune in to their local radio and television to get more information.
The wireless text alerts were used to warn Oklahoma residents during recent tornadoes as well as during the Boston Marathon bombing manhunt to tell residents to remain indoors.